Equivalent Keys: Side-Channel Countermeasure for Post-Quantum Multivariate Quadratic Signatures

: Algorithms based on the hardness of solving multivariate quadratic equations present promising candidates for post-quantum digital signatures. Contemporary threats to implementations of cryptographic algorithms, especially in embedded systems, include side-channel analysis, where attacks such as differential power analysis allow for the extraction of secret keys from the device’s power consumption or its electromagnetic emission. To prevent these attacks, various counter-measures must be implemented. In this paper, we propose a novel side-channel countermeasure for multivariate quadratic digital signatures through the concept of equivalent private keys. We propose a random equivalent key to be generated prior to every signing, thus randomizing the computation and mitigating side-channel attacks. We demonstrate our approach on the Rainbow digital signature, but since an unbalanced oil and vinegar is its special case, our work is applicable to other multivariate quadratic signature schemes as well. We analyze the proposed countermeasure regarding its properties such as the number of different equivalent keys or the amount of required fresh randomness, and we propose an efﬁcient way to implement the countermeasure. We evaluate its performance regarding side-channel leakage and time/memory requirements. Using test vector leakage assessment, we were not able to detect any statistically signiﬁcant leakage from our protected implementation.


Introduction
In the past few decades, computer devices have become an essential part of our everyday lives. They are used throughout all industries, including banking, medicine, transportation, and entertainment. Various embedded computer systems are used to control payments, pacemakers, and trains, and most of us carry them in our own pockets every day. In the interconnected world of Industry 4.0, the Internet of Things, cloud computing, and machine learning, our privacy, security, and safety are more endangered than ever [1]. To counteract these modern-day threats, numerous security measures must be taken to provide confidentiality, authenticity, integrity, and more.
Various cryptographic primitives are widely used, including symmetric algorithms such as AES [2] and asymmetric algorithms such as RSA [3] or based on elliptic curves [4]. One of the significant threats to such asymmetric cryptographic algorithms is quantum computation, which is expected to effectively break RSA and ECC cryptosystems. This is due to Shor's algorithm [5], which allows prime factorization and discrete logarithm solving in polynomial time, compared to exponential time on a classical computer. For this reason, the National Institute of Standards and Technology (NIST) of the United States Department of Commerce has initiated a process to standardize quantum-resistant public key cryptographic algorithms. The digital signature candidates in the third round were CRYSTALS-Dilithium [6], FALCON [7], both lattice-based schemes, and Rainbow [8], a multivariate quadratic scheme. Both lattice-based signatures have been currently recommended for standardization, with some multivariate quadratic candidate expected to be further evaluated in the fourth round. In this paper, we focus on multivariate quadratic signature schemes, which, besides Rainbow, also include the Unbalanced Oil and Vinegar (UOV) [9] and LUOV [10] schemes.
Besides classical cryptanalysis, side-channel analysis poses a threat to cryptographic implementations in general. Attacks such as differential power analysis [11] and correlation power analysis [12,13] exploit information leakage in the side-channels, such as power consumption or electromagnetic radiation [14]. More complex attacks include template attacks [15,16] and machine-learning-based attacks [17][18][19]. Successful side-channel attacks on multivariate quadratic signature schemes were presented in [20,21]. Various countermeasures against these kinds of attacks have been proposed in the literature, typically classified as either hiding or masking. Hiding countermeasures aim to conceal the leaked information in noise, e.g., by using custom secure digital logic [22,23] or additional modules such as noise generators, clock randomization, or current equalizers [24,25]. Masking countermeasures split the sensitive variable into multiple variables using random masks, thus making it difficult for the attacker to predict any intermediate values and attack. Masking countermeasures include threshold implementations [26,27] or domain-oriented masking [28]. Lightweight masking countermeasures have been proposed for multivariate cryptography, based on digest masking using a scalar mask [20,21], introducing only a little masking entropy. A more complex countermeasure, based on splitting the central map solution of Rainbow and randomizing the signing process, was presented in [29]. However, no evaluation (such as test vector leakage assessment) of the proposed countermeasures was presented in either paper. Most recently, a novel cryptanalytic attack on the Rainbow signature scheme was presented in [30], requiring reexamination of the proposed algorithm parameters and their security level.

Our Contribution
In this paper, we propose a novel side-channel countermeasure for multivariate cryptography based on private key randomization. We continue the work presented in [31] and introduce the concept of equivalent private keys, i.e., a class of private keys with the same public key. We propose a new private key to be generated prior to every signing. The adversary would then be forced to target the whole class instead of a fixed private key, making it difficult to mount a side-channel attack. We demonstrate our approach on the Rainbow algorithm. Since the UOV is a special (single-layered) case of Rainbow, our work is applicable to different multivariate cryptography algorithms as well.
We first describe the Rainbow algorithm and the notation used in Section 2. In Section 3, we introduce the general concept of equivalent keys and analyze their properties such as the number of different keys or required random bits. We further propose an efficient way to generate an equivalent key in Section 4, i.e., with fewer computational resources and randomness. Finally, we evaluate the performance of our countermeasure in Section 5 in terms of side-channel leakage and time and memory requirements. We were not able to detect any statistically significant side-channel leakage using an attack-independent test vector leakage assessment; we show that the overhead is reasonable in comparison to another state-of-the-art countermeasure.

Rainbow
Rainbow is a post-quantum digital signature, a generalization of the oil and vinegar signature scheme [8]. Its security depends on the fact that solving m quadratic equations for n variables becomes very difficult. These equations are defined by a central map F, which consists of multivariate quadratic polynomials. The central map is structured so that it is possible to solve F(x 1 , . . . , x n ) = (y 1 , . . . , y m ) using a linear equation solver. In a public key, the special structure of the central map is hidden by two linear maps, S and T, applied on an input and an output of the central map. The central map is layered, where each layer defines two types of variables: vinegar variables for known variables (randomly generated or computed from the prior layer) and oil variables for unknown variables (to be computed using polynomials in the given layer). In this paper, we used the version of the Rainbow algorithm as defined in the submission to the NIST competition [32].
Let F be a finite field and v 1 , o 1 , o 2 ∈ N the parameters of the two-layered version of Rainbow. The parameters define the number of variables and the sizes of the layers. The first layer consists of o 1 quadratic polynomials with v 1 vinegar variables with indices . . , f (n) ) is an m-tuple of n-variate quadratic polynomials. These polynomials, indexed by k ∈ O 1 ∪ O 2 , are defined as: where α i , δ (k) ∈ F are term coefficients and l ∈ {1, 2} is such that k ∈ O l . For simplicity, we changed the notation in Equation (1) in the following sense: • We restricted the polynomials, omitting the linear and absolute parts of the polynomials in the central map, resulting in quadratic forms. These coefficients are not necessary for Rainbow's security, but add more complexity. The reference implementation submitted to the standardization process considers these coefficients in the documentation, but they were not implemented in the code. Nevertheless, the countermeasure discussed in this paper can be applied to the original polynomials defined in Equation (1) as well. • We united the α and β coefficients into the λ coefficients for simplicity of notation and also included zero coefficients as described in Equation (2). We did not allow setting any (by definition) zero coefficient to a non-zero value, so there is no change from the original definition.
Applying our changes, we obtain a simple notation of the central map polynomials, equivalent to Equation (1): where k ∈ O 1 ∪ O 2 ,n = {1, 2, . . . , n} and x = (x 1 , . . . , x n ). In Rainbow, the structure of the central map F (described in Equation (1)) is hidden using two random invertible affine maps S : F m → F m and T : F n → F n . Similar to the linear and absolute parts of the central map polynomials, we also omitted translations of the affine maps. Therefore, we used two linear maps represented by regular matrices S ∈ F m×m , T ∈ F n×n . This is also consistent with the reference implementation.

Central Map in Matrix Representation
For compact writing, we rewrite the quadratic forms in the central map as a product of matrix-vector multiplication for k ∈ O 1 ∪ O 2 : The quadratic form f (k) (x) can be expressed using a matrix F (k) . This matrix is partitioned according to the structure of the central map. Submatrices F 2,3 correspond to beta coefficients. Specifically for the first layer, we obtain: The central map can be expressed as a vector of m matrices (representing quadratic forms): . . .
Secret key SK can be expressed and stored as: where The public key contains only a quadratic map P defined as

Signing and Verification Process
For document d, random salt r, and a secret key SK = (S −1 , F, T −1 ), we define h := hash(hash(d)|| r), where h, y ∈ F m and x, z ∈ F n . The pair (z, r) is called a signature.

Equivalent Key
The main idea of the equivalent key is to change the secret key SK into some other SK, which is equivalent to the original one, i.e., SK and SK both have the same public key. This equivalency was previously used for storage, computation, and randomness reduction, where only the normal form of the key was generated [31]. Our countermeasure is based on the generation of the equivalent key before each signing process. We therefore substituted a fixed key with an equivalence class containing a huge number (as shown in Equation (28)) of different, but equivalent, keys.
In our work, the equivalent key can be derived from the original key using two linear maps A and B, represented as matrices A and B, which change all three maps contained in a secret key without changing their composition: With this in mind, we define the secret key SK derived from SK as SK = (S −1 , F, T −1 ), The pair (A, B) is called Gauss sustaining transformation, where the representing matrices A and B cannot be chosen arbitrarily. They are composed with the central map F, which must maintain its special structure.
The necessary constraint is the invertibility of these matrices due to the signing process, where the inverse central map must be computed. Therefore, A and B must be regular; thus, det(A) = 0 and det(B) = 0. The compositions A • S −1 and T −1 • B can be computed simply as AS −1 and T −1 B. The composition A • F • B is discussed in the following sections.
and ∀k ∈ {1, . . . , m} : The composition is equivalent to a linear combination of F matrices. In the following equation, we show how arbitrary A affects the structure of the central map: To maintain the special structure for the first layer (k ∈ {1, . . . , o 1 }), as described in Equation (5), we must fulfill the following restrictions: 2,3 are zero matrices, Equation (17) can be rewritten as This restriction can be trivially satisfied by the following condition: Regarding the second layer, the arbitrary A maintains its polynomial structure by itself, and therefore, no further restrictions are necessary.
An applicable matrix A ∈ F m×m is therefore where Matrix A must be regular; therefore, A 1,1 and A 2,2 are arbitrary regular matrices and A 1,2 is an (possibly singular) arbitrary matrix. From the matrix A, we deduce that the linear combination is performed separately in layers (A 1,1 and A 2,2 ), and quadratic polynomials from the first layer can be combined into the second layer (A 2,1 ).
and, ∀k ∈ {1, . . . , m}: This composition changes every quadratic polynomial separately. Before we consider the restrictions on the matrix B, let us first introduce the following lemma.

Lemma 1.
Every quadratic form can be represented as an upper triangular matrix. Then, Let : F n×n → F n×n ; Q → U be a function, where U is an upper triangular matrix, such that ∀x ∈ F n : x Qx = x U x.
In Equation (25), we show how matrix B changes the structure of a polynomial in the central map. We used the same partitioning of the matrix B as we used for the matrix F (k) . Size compatibility for the matrix multiplication is guaranteed thanks to the symmetry of block sizes. We further applied the function , as it does not change the concerned polynomial and it helps us with the wanted structure. It ensures the upper triangular submatrices on the diagonal, which are required by the definition of Rainbow.
Solving this system of equations with matrix B as a variable for arbitrary central map F, where the right sides of the equations are zeroes, we obtain: where non-zero submatrices are arbitrary submatrices, except that matrix B must be regular, and therefore, submatrices B 1,1 , B 2,2 , B 3,3 must be regular.
For an insight into what is happening to the vector x (which elements are the variables in the central map), we can partition x into three different types of variables: vinegar variables of the first layer (x v 1 ∈ F v 1 ), oil variables of the first layer (x o 1 ∈ F o 1 ), and oil variables of the second layer (x o 2 ∈ F o 2 ). If we apply matrix B to the vector x, we obtain: In this situation, the variables to solve are not defined only by vector x, but the vector Bx. To be able to sign, it is necessary not to mix the vinegar variable with the oil variables of each layer. At the beginning of the signing process, we used 1 is randomly generated, thus known. We can easily compute We can immediately substitute B 2,1 x v 1 , which is already known. We still obtain a system of the linear equations that has only variables of the vector x o 1 . In the end, the second layer is solved. We can first substitute , and again, we obtain only a system of linear equations. No oil and vinegar variables (of the same layer) are mixed. This was only an insight into why the inversion of the central map can be still computed. In the implementation, matrix B is incorporated in the central map (as a generator of the equivalent key).

Analysis of an Equivalent Key
In this section, we discuss the basic properties of the equivalent key. We concentrate only on equivalent keys that can be generated according to Equation (13), with the maps A and B defined in Equation (20) and Equation (26). We start with the number of equivalent keys, and we calculate entropy where applicable. Then, we state the benefits of our masking scheme. For the analysis in this section, we considered two sets of Rainbow parameters: We note that these parameters, while suggested in the NIST standardization process, are probably already inadequate due to the recently presented attacks [30].
Lemma 3. Let M n (F q ) = {n × n matrices over F q }, with the matrix multiplication, be the full linear monoid. The order of the monoid is |M n (F q )| = q n 2 . Lemma 4. Let GL n (F q ) = {n × n invertible matrices over F q }, with the matrix multiplication, be the general linear group. The order is |GL n (F q )| = ∏ n−1 k=0 (q n − q k ) = q n 2 (q −n ; q) n . (q-Pochhammer symbol: (a; q) n := ∏ n−1 k=0 (1 − aq k ), n > 0, defined inter alia in [33]. For example: the number of 10 × 10 regular matrices over GF (16) is |GL 10 (F 16 )| ≈ 0.9336 · 16 100 , where (16 −10 ; 16) 10 ≈ 0.9336. Symbol (q −n , q) n denotes the ratio between regular matrices n × n and all matrices n × n over F q .) The proofs of these three lemmas are well known [34]. Theorem 1. The number of different equivalent keys, over a fixed secret key SK, is This is an exact number, where the left part q (... ) describes the number of different combinations of matrices A and B. The remaining part counts for the cases where A and B are regular. For GF (16), its value is ≈ 0.7092, and for GF(256) it is ≈ 0.9805. This value is dependent on the values v 1 , o 1 , o 2 , but it converges with these parameters extremely fast. For GF (16), the difference between v 1 = o 1 = o 2 = 10 and v 1 = o 1 = o 2 = 1000 is less then 10 −12 .
Proof. (Number of different equivalent keys) We show that the number of equivalent keys is the number of possible non-equal matrices A multiplied by the number of possible non-equal matrices B. This holds because both matrices are applied to different parts of the secret key (maps S and T), so they cannot interfere with each other, and they are both generated independently. We discuss the number of keys for matrix A only, and the same procedure can be applied to matrix B. Let A be the set of matrices with the structure defined in Equation (20) and a regular matrix S ∈ GL m (F q ) be the representation of the linear map S.
First, we show that the lower bound of the number of equivalent keys generated by A is equal to the cardinality of the set A. This is because a regular matrix S is multiplied by regular matrices from the set A. Thus, two distinct matrices A, A ∈ A ⊂ GL cannot generate the same product matrix: Therefore, each distinct matrix in A generates a different equivalent key; hence, the cardinality of the set A is the lower bound of the number of different equivalent keys generated by A.
Second, we show that the cardinality of the set A is also the upper bound of the number of different equivalent keys generated by A, since every equivalent key can be reached by a multiplication with a single A ∈ A. Let us examine a product of two matrices A, A ∈ A: The matrix AA has the same structure as the matrices A and A . On the diagonal, we have the products of the elements of GL, which also result in an element of the GL, and the submatrix [AA ] 2,1 can be an arbitrary matrix, thus AA ∈ A. In other words, every key reachable by subsequent multiplications with two matrices from A can be reached by a single multiplication with some matrix from A: Therefore, the upper bound of the number of equivalent keys generated by A is the size of the set A.
The previous statements imply that the number of equivalent keys generated by A is equal to the size of the set A. Every matrix A ∈ A has four parts: two submatrices from GL, one from M o 1 ,o 2 (F q ), and a zero submatrix. All matrices are independent, so the total number of matrices is the product of the numbers of different submatrices: The number of different matrices B can be computed in a similar fashion: By multiplying the results in Equation (32) and Equation (33), we obtain the total number of equivalent keys, as stated in Equation (28).
The number of equivalent keys is approximately 16 9744 · 0.7097 ≈ 2 38976 and 256 34208 · 0.9805 ≈ 2 273664 for the Ia and Vc parameters, respectively. If the matrices A and B are generated from a uniform distribution, the entropy of the generated equivalent key for the Ia and Vc parameters is ≈38,976 Sh and ≈273,664 Sh, respectively.
The beneficial property of an equivalent key scheme is an option to forget the original key and keep only an equivalent key. We were able to generate an equivalent key from an already-computed equivalent key. The equivalent key (or more of them) can be generated and prepared at any time prior to the signing process. The signing process itself then has no overhead.

Efficient Implementation
In Section 3, we discuss the equivalent key defined by matrices A and B. However, we propose choosing only a subset of these matrices with respect to: • Calculation performance; • Amount of fresh randomness necessary; • Entropy of the generated equivalent key; • Implementation size and simplicity; • Total number of keys equivalent to each public key.
With respect to the aforementioned desires, we propose using the following submatrices to generate the equivalent keys: where m 1 , . . . , m n ∈ F q , and the condition for regularity is The equivalent key generator is a tuple (A, B) defined as where A (1) , The proposed generator form is further justified in Section 4.1. The generator matrices are defined as where |a| b := (a − 1 mod b) + 1 is the modulo operation with offset (e.g., it holds that |m| m = m and |m + 1| m = 1). Indexing from zero would result in using a regular modulo operation instead. Matrices A and B can be stored as vectors of their non-trivial values: (a 1 , a 2 , . . . , a m ), (b 1 , . . . , b For further analysis, in Equation (39), we show the probability that the randomly generated matrix from the definition in Equation (34) (i.e., the matrix with generated values m 1 , . . . , m n ) over F q is regular. In Equation (39), we omit the set {1, . . . , n} in all quantifiers ∀i ∈ {1, . . . , n} and ∃i ∈ {1, . . . , n} since it is always identical, and we write only ∀i and ∃i for simplicity.
The non-zero values of the submatrices in A and B are to be generated independently from a uniform random distribution, so we can easily express the probability, e.g., a randomly generated matrix M 32 over GF(16) is regular with probability 99.15% and matrix M 64 over GF(256) with probability 99.69%.
Using the regularity probability, we can express the cardinality of M n . This can be performed by multiplying the number of all possible matrices by the probability of each matrix over F q being regular:

Justification of the Selected Generators
In this subsection, we justify the proposed form of our efficient equivalent key generators with respect to the desires mentioned in Section 4.
We propose the form of generators in Equation (34), i.e., the ones on the diagonal and the only non-trivial elements adjacent to it, so that vector-matrix (and analogically, matrix-matrix) multiplication can be efficiently performed as described by formula: Based on Equation (41), the vector-matrix multiplication M · g can be performed simply by copying the vector g to the result variable, then cyclically shifting the vector g and adding an elementwise product of the vector g and the vector of non-trivial values of the matrix M (as listed in Equation (38)).
Next, we discuss a number of different equivalent keys for our efficient generators. This is equal to the number of possible distinct linear maps of generators, in other words, the number of different matrices that can be obtained by multiplying matrices in M n by each other. We believe that these matrices generate the whole group GL n for n > 2, but we were not able to prove this claim in general (we managed to prove the claim for matrices 3 × 3, 4 × 4, 5 × 5 over Z 2 , then for 3 × 3, 4 × 4 over Z 3 , and also, for matrices 3 × 3 over Z 5 by brute force). Assuming that the following formula holds over a fixed F q and for every integer n > 2: the number of equivalent keys using the proposed efficient generators, with the possibility of generating an equivalent key from another equivalent key, would be For parameters Ia and Vc, respectively, the number of transitively reachable equivalent keys (i.e., generating the equivalent key from another equivalent key) would be approximately 16 5392 · 0.7092 ≈ 2 21567 and 256 20000 · 0.9805 ≈ 2 160000 , respectively.
The number of possible distinct equivalent keys after one generating process is |M v 1 | · |M o 1 | 2 · |M o 2 | 2 ; for parameters Ia and Vc, respectively, the number of possible equivalent keys after one generation is approximately 2 656 and 2 2368 , respectively. Assuming the equivalent key generators are sampled from a uniform distribution, the entropy of the next-generated equivalent key is approximately 656 Sh and 2368 Sh, respectively. Given this entropy, we believe that the probability of the signer using the same equivalent key multiple times is negligible. The number of distinct equivalent keys is summarized in Table 1. We further discuss the number of distinct linear maps generated in equivalent keys, as these are typical targets in a side-channel attack scenario [20,21]. The number of distinct maps S generated by the proposed efficient generator A over a single class of equivalent keys is For parameters Ia and Vc, respectively, the number of transitively reachable linear maps S is approximately 16 2048 · 0.8716 ≈ 2 8192 and 256 5392 · 0.9922 ≈ 2 43136 , respectively. After one generating process, the number of different linear maps S is |M o 1 | · |M o 2 |, that is almost 2 256 for the Ia parameters and almost 2 800 for the Vc parameters.
Lastly, we discuss the required fresh randomness. The generators A and B defined in Equations (20) and (26) use a quadratic number of random elements in regard to parameters m and n. For Rainbow parameters Ia and Vc, respectively, this corresponds to ≈39 kb and ≈274 kb of fresh randomness, respectively. The number of required random elements is linear for our efficient generators defined in Equation (36), leaving us with only 656 bits and 2368 bits of fresh randomness, respectively. This amount of randomness refers to the case when the matrices A and B are successfully generated according to the requirements, i.e., the generated matrices are regular (the probability of the randomly generated matrices A and B being regular is 96 % for the Ia parameters and 98.4 % for the Vc parameters).

Efficient Computation of Equivalent Keys
Compositions A · S −1 and T −1 · B can be computed in the same way as the multiplication in Equation (41).
The composition of A • F, where A is represented as A in Equation (36), is: The composition of F • B, where B is represented as B in Equation (36), is Upper triangular matrices (B (1) ) F where u,v ∈ F s×w is an arbitrary matrix. If the elements are stored sequentially by index k, the computation can be accelerated using word-level parallelism and vector processing.

Algorithm for Upper Triangular Matrices' Evaluation
Algorithm 1 was deduced as described in the following text. First, we rewrote output (B (u) ) F By expanding matrix multiplication, we obtain Specifically, for r = c, we obtain One term of (F |r−1| s ,r + F r,|r−1| s ) is zero, as matrix F is upper triangular and |r − 1| s = r. t := t + 2b s F s,s 10: end if 11: if m > 1 then 12: t := t + b c 1 F r,c 1 13: else if m = 1 ∧ char(F) = 2 then 14: t := t + 2b r F r,r 15: end if 16: return t The second part of Equation (49) with the condition r < c is In all sets of parentheses, there is at least one term equal to zero (note that F is an upper triangular matrix), except for two cases. The exception is iff the indices are the same. The first case is when |r − 1| s = c =⇒ c = r + s − 1. This condition can occur only when r = 1 ∧ c = s: The second case is when r = |c − 1| s =⇒ c = r + 1: In the last parenthesis in Equation (52), there is no possibility of the same indices, i.e. |r − 1| s = |c − 1| s , because r < c. In the case of char(F) = 2, we were able to skip the computation of 2b s F s,s and 2b r F r,r .
The result can be summarized as: Equation (55) for the condition r ≤ c can be rewritten as Algorithm 1.

Performance Evaluation
In this section, we present a side-channel leakage evaluation of the presented sidechannel countermeasure and a time and memory performance evaluation. We focus on the efficient equivalent keys scheme proposed in Section 4 only. We compare unprotected and protected implementations regarding side-channel leakage in Section 5.1, regarding time in Section 5.2, and regarding memory in Section 5.3.

Side-Channel Leakage Evaluation
We describe our key-vs.
-key t-test methodology in Section 5.1.1, and then, we present our results in Section 5.1.2. We used an attack-independent test vector leakage assessment methodology [35]. We were not able to detect any statistically significant leakage from the protected implementation.

Methodology
We implemented Rainbow with the proposed equivalent key scheme (using the unprotected reference implementation) on a 32-bit STM32F303 microcontroller based on the ARM Cortex-M4 core. To allow for a thorough and feasible side-channel evaluation of the proposed countermeasure, we chose Rainbow parameters F q = GF(16), v 1 = o 1 = o 2 = 8 to shorten the signing algorithm runtime compared to the Ia or Vc variants. We used the proposed efficient implementation of the equivalent keys scheme. The microcontroller was mounted in a ChipWhisperer C308 stand-alone evaluation board powered by an external 5 V laboratory power supply and clocked by a 7.37 MHz crystal.
The embedded Rainbow implementation receives a random seed from a controlling PC, which is then expanded using a linear congruential generator. The microcontroller then performs multiple signings without any external communication. Based on the generated pseudorandom numbers, the implementation generates the digests to be signed and also chooses one of four predefined private keys. This way, the microcontroller signs multiple randomly generated digests, each one using one of four randomly chosen private keys. The randomly interleaved private keys are a necessary prerequisite for our leakage evaluation methodology, as described later. When the signings are done, the microcontroller sends a checksum of the signatures back to the controlling PC, and the whole process is repeated as many times as necessary. This approach allows for a significant speedup of the measurement process.
Voltage drops over the core were amplified using the Langer EMV-Technik PA303 preamplifier and sampled using the Picoscope 6404D oscilloscope. A 10Ω shunt resistor was used. The oscilloscope had a 25 MHz bandwidth limiter enabled, and the measurement channel was set in DC 50 Ω mode (since the preamplifier acts like a DC blocker). The sampling rate was 312 MS/s, in our case resulting in over 4 million samples per trace. The measured traces were then decimated 1:10 to 31.2 MS/s to allow for a feasible evaluation while maintaining a good signal-to-noise ratio [36].
The voltage was sampled during each signing, which lasted approximately 13.8 ms. Each decimated power trace consisted of 430,560 samples. The unprotected and protected implementations were evaluated independently. For the unprotected implementation, one of the four original private keys was randomly chosen in every signing. For the protected implementation, an equivalent key of one of the four original private keys was randomly chosen, and the next equivalent key was generated from the previous one.
The side-channel leakage was then evaluated using a fixed-fixed t-test methodology [35]. The measured power traces were partitioned into four groups based on the original private key used during the signing. Welch's t-statistic was then computed between every two groups (six evaluations in total), in every sampling point independently.
The null hypothesis was that the two groups' means are equal, i.e., the original keys are indistinguishable by the mean power consumption. The hypothesis was rejected for high values of the |t|-statistic according to the Student's distribution and selected significance level. In side-channel leakage evaluation, the threshold of 4.5 or 5 is typically considered for the |t|-statistic, which must be further evaluated carefully with the possibility of both positive and negative false results in mind [35,37]. Figure 1 depicts the results of the leakage evaluations. Figure 1a depicts the results of the evaluation on the unprotected implementation, where every t-test was performed using approximately 40,000 power traces. Figure 1b depicts the results for the protected implementation, where every t-test was performed using approximately one million power traces. Each graph contains six overlaid curves, one for each key-vs.

Results
-key t-test. As can be seen in Figure 1a, many peaks reach t-value of 200 and some even exceed 300, in contrast to Figure 1b, where the threshold of 4.5 (marked by red horizontal lines) is not surpassed by the protected implementation. Therefore, we did not detect any statistically significant side-channel leakage from our protected implementation during the signing.

Time Evaluation
We evaluated the time performance on three different platforms: • The STM32F303 ARM microcontroller (a single-core Cortex-M4); • A Raspberry Pi 3 B+ single-board computer equipped with the Broadcom BCM2837 ARM microprocessor (a four-core Cortex-A53); • A desktop computer equipped with an Intel Core i5-2400 processor (four cores).
On the STM32F303 microcontroller, we used the same parameters as for the leakage assessment, i.e., v 1 = o 1 = o 2 = 8, where the secret key size is 1776 bytes. On the Raspberry Pi and desktop computer, we used the parameters v 1 = o 1 = o 2 = 32, where the secret key size is 95,520 bytes. The Rainbow algorithm runtime was measured including random number generating using a linear congruent generator, excluding hashing. All the implementations were compiled with GCC without any optimizations enabled.
On the STM32F303 microcontroller, the time to sign a document was 13.8 ms, and the average time to generate the equivalent key was 33.28 ms. The whole signing including the equivalent key generation was 3.41-times slower compared to the unsecured signing.
On the Raspberry Pi 3 single-board computer, the average time to sign a document was 7.72 ms, and the average time to generate the equivalent key was 19.87 ms. The whole signing including the equivalent key generation was 3.57-times slower compared to the unsecured signing.
On the desktop computer, the average time to sign a document was 116 µs, and the average time to generate the equivalent key was 420 µs. The whole signing including the equivalent key generation was 4.62-times slower compared to the unsecured signing.
For comparison, the randomization countermeasure of Rainbow proposed in [29] resulted in 3.31-times slower signing. Table 2 summarizes the time overhead comparison. However, our equivalent key can be precomputed any time prior to the signing, and then, the signing itself has no overhead.

Memory Evaluation
From the memory perspective, the generating of the equivalent key is not an in-place algorithm due to the matrix multiplication in Equation (47). As the key structure is the same as for the unprotected version, we further describe only the extra variables needed for the generation of the equivalent key. The generating of the equivalent key does not need a dynamically allocated memory (as we assumed predefined parameters), and the biggest heap variable is the (A, B) two-tuple itself, which only takes (n + m) · log 2 (q) bits, where log 2 (q) is the size of an element of F q in bits. Other local variables are negligible. Additionally, one can split each part of the mask to be applied separately. This can further reduce extra memory needs to max(n, m) · log 2 (q) bits.
The implementation submitted to NIST uses a special case of the secret key, where matrices S and T are specifically selected for memory effectiveness. After the generating of the equivalent key, this special format is no longer possible. As a consequence, we obtained a slightly larger secret key, where the size difference was (v 2 1 + 2o 2 1 + 2o 2 2 ) · log 2 (q) bits. For the Ia parameters, the difference was 2560 bytes, resulting in a key that was approximately 2.6% larger. Our countermeasure also requires a minor modification of the submitted implementation.
Fresh random bits are needed during the generation and even during the signing process. The amount of randomness is deterministic, except the case where singular matrices are generated and need to be generated again. For the equivalent key generation, the mode (most common value) of the required bits of randomness is (n + m) · log 2 (q), and for the signing process, it is v 1 · log 2 (q) (excluding the hashing salt). The mode is also a minimum number of required bits.

Conclusions
In this paper, we proposed a side-channel countermeasure for multivariate quadratic signature schemes. We used the Rainbow signature scheme as our use case. However, the proposed countermeasure is applicable to other schemes such as unbalanced oil and vinegar as well (UOV is equivalent to a single-layer Rainbow). We described the Rainbow algorithm and the notation used.
We proposed an equivalent private key scheme, in which a precomputed randomly generated equivalent key is used for signing instead of the original fixed private key. We examined the scheme in general and described its restrictions and security properties from the theoretical point of view. These include the number of different equivalent keys or reached entropy. We showed that the number of equivalent keys is enormous, and given that, we believe the probability of using the same equivalent key twice is negligible in practice. This efficiently prevents the attacker from mounting attacks such as differential or correlation power analysis.
We further proposed an efficient equivalent key scheme. Our scheme requires significantly less fresh randomness (bounded by the O(n)) than the general equivalent key (bounded by the O(n 2 )) and allows for faster and more efficient computation. We described its properties, similar to the general case. We described an efficient algorithm for the generation of the equivalent key.
We evaluated our proposed countermeasure using attack-independent side-channel leakage assessment with one million power traces, and we were not able to detect any statistically significant information leakage. Lastly, we described the time and memory requirements of the countermeasure. The overhead of our countermeasure is comparable to other relevant countermeasures. Moreover, our equivalent key can be precomputed any time prior to the signing, and then, there is no overhead at the time of signing.
Funding: This research was funded by the Ministry of the Interior of the Czech Republic Grant Number VJ02010010, "Tools for AI-enhanced Security Verification of Cryptographic Devices" in the program Impakt1 (2022-2025).

Data Availability Statement:
The data can be provided upon reasonable request to the corresponding author. The side-channel measurements and evaluations were done by the SICAK toolkit, available online: https://github.com/petrsocha/sicak (accessed on 27 September 2022).